Security techniques for device assisted services

ABSTRACT

Security techniques for device assisted services are provided. In some embodiments, secure service measurement and/or control execution partition is provided. In some embodiments, implementing a service profile executed at least in part in a secure execution environment of a processor of a communications device for assisting control of the communications device use of a service on a wireless network, in which the service profile includes a plurality of service policy settings, and wherein the service profile is associated with a service plan that provides for access to the service on the wireless network; monitoring use of the service based on the service profile; and verifying the use of the service based on the monitored use of the service.

BACKGROUND OF THE INVENTION

With the advent of mass market digital communications, applications and content distribution, many access networks such as wireless networks, cable networks and DSL (Digital Subscriber Line) networks are pressed for user capacity, with, for example, EVDO (Evolution-Data Optimized), HSPA (High Speed Packet Access), LTE (Long Term Evolution), WiMax (Worldwide Interoperability for Microwave Access), DOCSIS, DSL, and Wi-Fi (Wireless Fidelity) becoming user capacity constrained. In the wireless case, although network capacity will increase with new higher capacity wireless radio access technologies, such as MIMO (Multiple-Input Multiple-Output), and with more frequency spectrum and cell splitting being deployed in the future, these capacity gains are likely to be less than what is required to meet growing digital networking demand.

Similarly, although wire line access networks, such as cable and DSL, can have higher average capacity per user compared to wireless, wire line user service consumption habits are trending toward very high bandwidth applications and content that can quickly consume the available capacity and degrade overall network service experience. Because some components of service provider costs go up with increasing bandwidth, this trend will also negatively impact service provider profits.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 illustrates a secure execution environment for device assisted services in accordance with some embodiments.

FIG. 2 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

FIG. 3 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

FIG. 4 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

FIG. 5 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

FIG. 6 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

FIG. 7 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

FIG. 8 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

FIG. 9 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

FIG. 10 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

FIG. 11 illustrates another secure execution environment for device assisted services in accordance with some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

In some embodiments, security techniques for device assisted services are provided. In some embodiments, secure service measurement and/or control execution partition techniques for device assisted services are provided. In some embodiments, a secure execution environment for device assisted services is provided. In some embodiments, a secure stack for device assisted services is provided. In some embodiments, a secure memory for device assisted services is provided. In some embodiments, a secure modem for device assisted services is provided (e.g., providing a secure communication link between the modem/modem driver and a service processor and/or agent on the device, such as a communications device or an intermediate networking device). In some embodiments, one or more secure monitoring points for device assisted services are provided. In some embodiments, one or more secure monitoring points with verification for device assisted services are provided (e.g., a secured monitoring point can be provided in a modem, which communicates securely to a secured execution environment in a CPU/processor, which can then verify such service usage measures). In some embodiments, a secure bus for device assisted services is provided. In some embodiments, a secure execution environment in the CPU/processor for device assisted services is provided. In some embodiments, secure access to a secure execution environment(s) for device assisted services is provided (e.g., securing communication from a bottom of the stack, such as modem drivers, which require credentials to access the bus as controlled by a service processor or secure agent on the device, and in which the traffic on the bus is encrypted). In some embodiments, various secure execution environments for device assisted services are provided using various hardware partition techniques (e.g., secure memory, secure modems, secure memory partition(s) in the CPU/processor), as described herein.

In some embodiments, device assisted services (DAS) provide for one or more of device based service usage measurements, service usage policy implementation, service usage accounting, service usage control, and any of the other functions described in various embodiments that assist, replace, and/or augment network based functions. For example, various DAS embodiments perform one or more of the following: facilitate and control activation to one or more access service networks; measure access and/or service usage on one or more access networks; control access and/or service usage on one or more access networks; account for different types of service usage on one or more access networks; implement quality of service (QOS) controls, collect and report QOS traffic demand, aggregate multiple device QOS demand reports to assess a measure of overall network QOS demand, and/or facilitate QOS resource allocation; and/or facilitate roaming between access networks. There are many more functions and embodiments for DAS as described with respect to various embodiments.

In some embodiments, various program/functional elements that perform the functions to implement various DAS embodiments are referred to herein as DAS agents or device assisted service agents, or in some embodiments, more specific terms are used to be more descriptive in specific examples. In some embodiments, device assisted service agent functions include service measurements and/or service measure recording and/or service measure reporting (e.g., to the service controller, the device, the user, or other device agents) and/or service measure synchronization (e.g., between device and network). In some embodiments, device assisted service agent functions include service usage controls and/or service usage control policy settings. In some embodiments, service usage controls include one or more of network authorization, network authentication, network admission, access control, service usage activity classification, allowing or disallowing one or more service usage activity and traffic shaping for one or more service usage activity.

In some embodiments, device assisted service agent functions include one or more of the following: reporting service usage to QOS control elements in the network, receiving QOS assignment from the network, reporting QOS assignments to the network, and/or communicating with QOS service reservation elements in the network. In some embodiments, device assisted service agent functions include one or more of implementing QOS service controls on the device based on one or more of the following criteria: fair queuing of service usage activities, differentiated QOS based on an assigned QOS hierarchy of service usage activities, service usage activity QOS assignments from the network for one or more service usage activities, service usage activity policy directives from the network for one or more service usage activities.

In some embodiments, a service control link is used for communication between the device assisted service agents and the service controller. In some embodiments, the service control link is a secure link (e.g., an encrypted communication link).

In some embodiments, the device assisted service agent functions include device assisted service system communication, measuring and/or recording and/or reporting and/or synchronizing service measures, observing communicating information for service control integrity, communicating information for service control policy instructions and/or settings, or updating device assisted software and/or agent settings.

In some embodiments, device assisted service on the device includes the following: service measurements, service controls, user interface and usage reporting, user policy options, accept policy instructions, protected execution partition provided to prevent hacking, malware, errors, and other security techniques. In some embodiments, device assisted service on the server includes one or more of the following: set policy, set configurations, install/update agents, check usage versus policy, check proper operation of agents, synchronize usage from network to device, and other verification techniques. For example, when errors in policy enforcement are detected, servers can perform actions to either further observe, quarantine, or suspend the device.

In some embodiments, a control server/control service network element receives service measures from the device. In some embodiments, the control server/control service network element receives service measures from the network. In some embodiments, the control server/control service network element sets policies and manages service across multiple networks (e.g., while one modem is shown in various figures, multiple modems can be employed for multiple networks with consistent service usage measures, service controls, QOS controls, UI (User Interface), user preferences, user usage reporting, and/or other settings/controls across different networks).

In some embodiments, traffic type refers to one or more of the following: best effort network traffic, real-time traffic (e.g., live voice such as VOIP, live video, etc.), streaming traffic, multi-cast traffic, uni-cast traffic, point to point traffic, file types, traffic associated with an application, real time traffic, traffic with an assigned priority, traffic without an assigned priority, and traffic for a certain network.

In some embodiments, service usage activity refers to a usage of service by a device. In some embodiments, service usage activity can be one or more of connection to an access network, connection to certain destinations, URLs or addresses on a network, connection to the network by one or more applications, transmission of certain types of traffic, a type of transaction based service, a type of advertising based services, or a combination of one or more of the following: an application type, a network destination/address/URL, a traffic type, and a transaction type.

In some embodiments, protection of the device assisted service agents/functional elements to protect the functions that perform the device assisted functions is provided with a protected execution partition on the CPU (Central Processor Unit), APU (Auxiliary Processor Unit), or another hardware based processor. For example, such hardware protected execution capabilities in the CPU, APU, or other processor can be combined in some embodiments with either OS software functions or other native mode software functions to create secure program execution partitions as described herein. In some embodiments, the term host is used to refer to the hardware and firmware and/or software system that executes the device applications and networking stack. In some embodiments, some of the device assisted service agents/functions are implemented in a modem execution partition environment.

FIG. 1 illustrates a secure execution environment 100 (e.g., for a communications device) for device assisted services in accordance with some embodiments. As shown in FIG. 1, the device execution environments include program/functional elements for a communications (e.g., a communications device can be an intermediate networking device, such as 3G/4G WWAN to WLAN bridges/routers/gateways, femto cells, DOCSIS modems, DSL modems, remote access/backup routers, and other intermediate network devices, or a mobile communications device, such as a mobile phone, a PDA, an eBook reader, a music device, an entertainment/gaming device, a computer, laptop, a netbook, a tablet, a home networking system, and/or any other mobile communications device) device that utilizes the modem subsystems #1 (125) through #N (127) to connect to one or more of the access networks #1 (136) through #N (138). In some embodiments, a communications device includes multiple program execution partitions. As shown in FIG. 1, four execution partitions are provided: an application execution partition 102 in which, for example, application programs execute, a kernel execution partition 112 in which, for example, the lower level drivers and basic low level OS programs execute, a protected device assisted service (DAS) execution partition 114 (also referred to as protected DAS partition) in which, in some embodiments, some or all of the device assisted service agents and/or functions execute, and a modem execution partition 124 in which, for example, the modem program elements execute and, in some embodiments, some or all of the device assisted service agents and/or functions execute. In some embodiments, each of these execution partitions are optimized for different software functions, each providing programs with the basic physical memory, data memory, CPU or APU or modem processor execution resources, high level and/or low level OS, memory management, file storage, I/O device resources (e.g., user interface (UI), peripherals, etc.), network communications stack, other device resources, and/or other resources that are required or used for operation of the programs. The collection of these hardware and software resources for the CPU or APU is sometimes referred to herein with the term host.

As shown, FIG. 1 illustrates an application execution partition 102 and a kernel execution partition 112, which are shown as separate partitions within the device execution environments. For example, this separation is based on the manner in which “kernel programs” (e.g., drivers and network stack, etc.) are commonly supported as compared to “application programs” (e.g., browsers, word processors, user interfaces, etc.) within the context of several different popular operating systems (OS) (e.g., Windows, UNIX, Linux, MAC OS, certain mobile device OSs, certain embedded device OSs, etc.). In some embodiments, this functional separation is not required, and, in some embodiments, other functional separations are supported.

As shown in FIG. 1, protected device assisted service agents, such as the protected DAS partition device assisted service agents 110, execute in the protected DAS partition 114 while unprotected device assisted service agents and/or OS networking stack elements and applications (e.g., applications 106A through 106C) execute outside of the secure device assisted service execution partition 114, such as the application partition device assisted service agents 104 and the OS networking stack and/or kernel partition device assisted service agents 108. For example, the protected DAS partition 114 can make it more difficult for a hacker, malware or system errors to compromise, attack or modify the device assisted service measurements, service policy implementation or service usage control operations on the device (e.g., communications device). In some embodiments, the protected DAS partition 114 need not support open access to all programs and OS elements so that it can be easier to protect. Also, as shown, a bus driver 116 in the application execution partition 102 provides for communication with a modem bus 120, which is in communication with a bus driver 121 in the modem execution partition 124. The protected DAS partition also includes a host service control link 118, which facilitates communication with a host secure channel 150 as shown.

In some embodiments, the protected DAS partition 114 is a protected execution partition on the main device that is supported by certain configurations in the host (e.g., a secure virtual execution environment or a separate hardware security function). For example, this protected execution partition can be used to provide added service measurement integrity and/or service control integrity for a device assisted service enabled device. In some embodiments, as described herein, the operating system (OS) also performs a role in establishing the protected execution partition for secure operation of device assisted services, and, in some embodiments, this role is performed by native software or firmware operating on secure hardware elements.

In some embodiments, the DAS agents responsible for maintaining service control integrity execute in the protected DAS partition 114. For example, the protected DAS partition device assisted service agents 110 can include one or more of the following: one or more service usage measurement functions; some or all of the device networking stack functions that are monitored and/or controlled by the device assisted services system; device drivers that interface to an OS networking stack to observe or manipulate stack traffic; access control integrity functions; service policy control functions; service UI functions; application identification functions, and/or functions to classify service usage activities by combinations of application, address/URL and/or traffic type; modem bus driver functions; and/or modem data encryption functions to prevent other unauthorized programs from bypassing the device assisted service measurements and/or controls by directly accessing the modem around the stack. In some embodiments, the system designer or a given set of design criteria determine which of the various described device assisted agent functions should be executed in protected DAS partition 114 to strengthen the service control integrity for the system.

In some embodiments, the device operating system provides for the protected DAS partition 114 in addition to conventional security features available in the operating system. In some embodiments, the protected DAS partition 114 provides an execution partition with increased program execution protection in which, for example, service measurement and/or service control programs (agents) can execute in a mode that provides for higher access control integrity (e.g., proper service usage reporting and/or service measurement and/or service control system operation with increased protection from attacks, errors, malware, etc.). In some embodiments, a hardware assisted secure execution partition provides for increased program execution protection for device assisted service agent functions.

In some embodiments, a service control link (e.g., host service control link 118 via host secure channel 150 to network service control link 152) is used for communication between the device assisted service agents and a service controller 122. In some embodiments, the service control link is a secure link (e.g., an encrypted communications link). In some embodiments, an encrypted secure control link can be implemented over the higher layers of the network stack (e.g., TCP, HTTP, TLS, etc.), and, in some embodiments, the encrypted link can be implemented over lower layers in the network stack, such as the IP layer or the access network layers (e.g., the WWAN device management channels or signaling layers). In some embodiments, service control link security is provided at least in part by encrypting link traffic between the device and the service controller 122. In some embodiments, service control link security is provided at least in part by running the service control link device side program agents in the protected DAS partition 114. In some embodiments, service control link security is achieved at least in part by restricting access to the service control link to certain device assisted service agents that are allowed to communicate with the service controller 122. In some embodiments, the agents that are allowed to communicate with the service control link perform such communications using encrypted communications. In some embodiments, the encrypted communications is accomplished with a secure inter-agent communication bus on the device. In some embodiments, the only mechanism for modifying the configuration of the operation, execution code, execution instructions and/or settings of certain device assisted service processor agents executing in the protected DAS partition 114 is through the service control link. In some embodiments, the only mechanism for modifying any program elements executing inside the protected DAS partition 114 is through the service control link so that only the service controller 122 may modify the operation or service policy settings for the agents located in the service measurement and/or service control execution partition.

As shown in FIG. 1, various server functions within the service controller 122 are provided. In some embodiments, a service history server 158 collects service usage measures from one or more of the device DAS agents and/or from various sources of potential network based service usage databases, such as the access network service usage 142 (e.g., carrier charging data record (CDR) systems), private network service usage 144 (e.g., MVNO or enterprise network service usage accounting system), and/or billing, mediation service usage log, reconciliation 148 (e.g., service provider billing or mediation system). In some embodiments, an access control integrity server 156 is used to compare various access control verification checks to ensure that the device assisted service agents have not been compromised. The various embodiments used in the access control integrity server 156 to perform these integrity checks are described with respect to various embodiments. Some embodiments include comparing device based service usage measures versus the service usage that should result if the desired service policy were properly implemented, comparing device based service usage measures versus the service usage that should result if the desired service policy were properly implemented with device based service usage measures that are executing in the protected DAS partition 114 and/or the modem execution partition 124, comparing network based service usage measures versus the service usage that should result if the desired service policy were properly implemented, and comparing network based service usage measures with device based service usage measures. In some embodiments, a policy control server 154 stores policy settings for the various service plans that can be implemented on the device, and communicates the appropriate policy settings to the appropriate device DAS agents.

In some embodiments, the service controller 122 has secure access to service measures, service control settings, software images, software security state(s), and/or other settings/functions, for example, by virtue of the hardware enhanced execution partition and the secure channel into the protected DAS partition 114. For example, the host secure channel 150 can be encrypted employing keys that are public/private or point to point private. Also, other link security, for example, can be implemented as described herein. For example, servers can ensure that the link remains authenticated and information is validated. For example, the service controller can perform one or more of the following verification techniques: compare the monitored service usage versus the policy, compare the monitored service usage versus other service usage measures and/or combined with various other network service usage measures.

In some embodiments, the protected DAS partition 114 includes a host service control link 118 as shown in FIG. 1 that works in combination, that is, in communication with a network service control link 152 to send and receive secure messages between the service controller and the host via a host secure channel 150. In some embodiments, the protected DAS partition 114 only accepts new program images from the service controller 122 and not from local programs or disks. In some embodiments, the protected DAS partition 114 cannot communicate with other applications and/or kernel programs. In some embodiments, the protected DAS partition 114 can also communicate with other applications and/or kernel programs but only to gather information or to set settings. In some embodiments, the protected DAS partition 114 can also communicate with other applications and/or kernel programs but only through a restricted encrypted communication bus that restricts outside program access to protected programs or agent functions, and can also restrict the agents inside of the protected partition from accepting unauthorized information or code modifications from programs outside the protected partition. Various other security techniques can be provided for the DAS execution environments as will be apparent to one of ordinary skill in the art in view of the embodiments described herein.

In some embodiments, the protected DAS partition 114 is created by employing CPU or APU hardware security features in addition to or in alternative to other software security features (e.g., virtual execution partitions) that can be provided by the operating system and/or other software. In some embodiments, the host hardware security features are provided with the operating system secure kernel operating modes. In some embodiments, the host hardware security features used for secure device assisted service execution partition operation are independent of the operating system kernel (e.g., implemented in secure program partitions in a separate secure program area not directly controlled by the OS and/or software that does not have access to the partitions).

In some embodiments, the hardware security features that support the protected DAS partition 114 include preventing other elements on the device from writing and/or reading certain memory areas reserved for device assisted service agents and/or control link functions. In some embodiments, this memory protection function is accomplished by locating the memory in a secure hardware partition that cannot be accessed by unauthorized device program elements (e.g., a separate bank of isolated memory space within the host CPU). In some embodiments, this memory protection function includes encrypting traffic to and from memory so that only authorized device program elements posses the counterpart encryption capability to access the memory. In some embodiments, the mechanism to access device assisted service agent memory and/or certain data elements is restricted to authorized device assisted service agents and/or the service controller via the service control link so that unauthorized program elements on the device cannot alter the device assisted service agent code and/or operation.

In some embodiments, the hardware security features that support the protected DAS partition 114 includes preventing unauthorized elements on the device from accessing the protected storage and/or file storage (e.g., “protected storage,” such as disk storage, non-volatile memory, embedded non-volatile memory, such as NVRAM, flash or NVROM, securely embedded non-volatile memory, and/or other types of storage) that is used to store the device assisted service agent programs. In some embodiments, this protected storage is maintained within the secure hardware partitions that also execute one or more of the device assisted service agents so that only authorized device assisted service agents have access to the storage locations. In some embodiments, the images that are stored in such protected file storage must be properly encrypted and signed for a boot loader to authorize loading the device assisted service agent programs into execution memory, and in some embodiments, if the images are not properly signed then an access control integrity error is generated and/or the program is not loaded. In some embodiments, such properly signed DAS images can only be obtained from the service controller. In some embodiments, such DAS images can only be loaded into protected file storage by the service controller. In some embodiments, the hardware security features that prevent unauthorized elements on the device from accessing the protected file storage include encrypting all traffic to and from the secure storage so that only authorized device program elements possess the counterpart encryption capability to access the storage. In some embodiments, access or access rights to re-program a device assisted service agent program store is restricted to the service controller via the service control link so that unauthorized program elements on the device are not authorized to alter the device assisted service agent code and/or operation.

In some embodiments, the hardware security features that protect device assisted service agent storage include a protected DAS partition in which an access control integrity agent function is isolated from other device program elements, and a secure service control link is also isolated in a similar manner, and the access control integrity agent scans the execution memory, data memory and/or file storage used by one or more device assisted services agents to measure and/or control services. In some embodiments, the purpose of the scan is to detect changes to the device assisted service agent code and/or data. In some embodiments, the purpose of the scan is to detect other unauthorized program elements or data that may be present in reserved or protected areas used for device assisted service agent execution. In some embodiments, reports of such scan audits are reported over the service control link to the service controller for further processing by use of cloud based resources to identify access control integrity violations. In some embodiments, the access control integrity agent functions include one or more of hashing other device assisted security agents, querying other device assisted security agents, observing the operation of other device assisted security agents or monitoring service measures and then either evaluating the results locally on the device to determine if they are within pre-defined allowable parameters or sending at least some of the results to the service controller for further analysis via the service control link. In some embodiments, the scan audits are compared with earlier versions of the scans to compare code configuration or operational characteristics. In some embodiments, the scan audits are compared against known databases for the code or operational characteristics that should be present in the DAS agents.

In some embodiments, an access control integrity agent, or a new version of the access control integrity agent can be downloaded by the service controller over the secure service control link. For example, this technique provides for a real time assessment of device service control security state as described above in the event that corruption or compromise of the secure device assisted service agent(s) has occurred. In some embodiments, the access control integrity agent that is downloaded can have a different configuration and/or operation than any agent previously loaded onto the device so that it is difficult or impossible for a hacker or malware to spoof the operation of the agent in a short period of time. For example, by requiring the agent to report security assessments back to the server in a period of time that is typically less than what is required to spoof the agent, the agent will either report back an accurate assessment of device status or will be blocked by a hacker or malware, and both of these conditions can provide the information required to take action if the device assisted services system has been corrupted or compromised.

In some embodiments, the protected DAS partition and/or the modem execution partition can be used to securely store some or all of the device credentials that are used for one or more of device group association, activation, authorization to the access network and/or the DAS network, service level, and service usage accounting and/or billing.

In some embodiments, the modem subsystem also includes DAS elements that strengthen the access control integrity of the DAS system. As shown in FIG. 1, one or more modems can include, in some embodiments, DAS agent functions labeled modem partition DAS agents 126. The modem execution partition 124 of the modem sub system #1 (125) of the modem execution partition 124 includes modem partition DAS agents 126 in communication (e.g., secure communication, such as using encrypted communications) with a modem 128 and a modem service control link 130, which is in communication with the network service control link 152 via the modem secure channel #1 (132), as shown. Also, the modem 128 is in communication (e.g., secure communication, such as using encrypted communications) with the access network #1 (136), which is in communication with the access network service usage 142 and the Internet 140, which is in communication with a private network 146, which is in communication with the private network service usage 144, as shown.

Example embodiments for DAS agent functions that execute in the modem execution partition include modem encryption and modem service usage measures. In other embodiments, the modem execution partition can also include higher level DAS agent functions, such as stack traffic classification, stack manipulation, access control, and/or traffic control. For example, the modem execution partition can also include a full service processor that is fully capable of managing all aspects of service usage measurement and/or service control. It will now be apparent to one of ordinary skill in the art that the modem execution partition can employ a number of the service security embodiments described in the context of the protected DAS partition, for example, to enhance the service integrity of the DAS system. For example, the DAS agents on the modem can be stored in an encrypted and signed format on non-volatile (NV) memory on the modem that is only accessible by the network service control link or by a local secure control link from the protected DAS partition to the modem execution partition. As shown in FIG. 1, a separate secure modem control channel (e.g., modem secure channel #1 (132) through modem secure channel #N (134)) that is distinct from the host secure control channel 150 is provided. This separate modem control channel can either be implemented over the higher network layers of the device or over the lower access network layer so that special access to access network resources is required to even connect to the modem DAS agents 126 thereby further enhancing service control related security.

In some embodiments, the protected DAS partition provides for performing the DAS agent functions required for parental controls, enterprise WWAN management controls or roaming controls, and/or usage reporting in the protected execution space. In view of the DAS embodiments described herein, it will now be apparent to one of ordinary skill in the art how to implement such protected controls for these various and other application scenarios.

In some embodiments, a protected DAS partition provides for performing a virtual machine (VM) on top of a secure machine. The device application OS that is accessible by software that can be installed without special permissions can be isolated from the secure hardware and/or OS that is running under the VM. Using these techniques, malware can be “cocooned in” on the VM OS rather than “walled out” as discussed with respect to various embodiments described herein.

In some embodiments, communication between program/functional elements outside of the protected DAS partition to DAS agents inside the protected DAS partition is controlled by a secure encrypted channel. In some embodiments, only programs/functions that have access to communicate with DAS agents are allowed to do so, and, in some embodiments, even these outside programs are not allowed to modify the DAS agent configuration, only to report information and/or receive information.

For example, various embodiments can be used to connect to multiple access networks through multiple modems, with each modem potentially being associated with a different set of DAS service policies corresponding to the different types of access networks supported. In some embodiments, such as for 3G/4G modems, WWAN/WLAN modems, and various other multiple modem embodiments, the multiple modems can also be provided on the same multi-mode modem subsystem rather than on different modem subsystems.

In some embodiments, the various techniques and embodiments described herein can be readily applied to intermediate networking devices as will now be apparent to one of ordinary skill in the art. For example, an intermediate networking device can includes some or all of the DAS agents for managing, controlling, and/or measuring service usage for one or more devices in communication with a wireless network via the intermediate networking device, in which the DAS agents can be executed in secure execution environments or secure execution partitions using the various techniques described herein. In some embodiments, intermediate networking devices include, for example, WWAN/WLAN bridges, routers and gateways, cell phones with WWAN/WLAN or WWAN/Bluetooth, WWAN/LAN or WWAN/WPAN capabilities, femto cells, back up cards for wired access routers, and other forms/types of intermediate networking devices.

FIG. 2 illustrates another secure execution environment 200 for device assisted services in accordance with some embodiments. In particular, FIG. 2 illustrates an embodiment in which DAS agents do not actually replace the OS network stack elements, but instead one or more DAS agents include device driver programs that interface into the network stack and pass (e.g., securely communicate) traffic information or actual traffic back and forth with the stack. These device driver interface constructs are labeled OS driver framework and interface 208 as shown in FIG. 2. Example OS system constructs that provide for this type of architecture for DAS agents include Windows NDIS and/or TDI drivers, Windows Filter Platform (WFP), Berkeley Packet Filter, ipfw (e.g., a BSD packet filter that can be used for various OSs, such as Unix, Linux, MAC OS), and/or other platforms/programs performing these or similar functions. While these OS stack options are not secure in themselves, if the drivers that interface with them are secured as illustrated in FIG. 2 by executing the drivers in the protected DAS partition 214, then higher overall access control integrity/security levels can be achieved.

As shown in FIG. 2, the service measurement and/or policy control drivers 210 executed in the protected DAS partition 214 represent the DAS drivers that interface to the OS stack device driver interface constructs labeled OS driver framework and interface 208 executed in the kernel execution partition 212, which are in communication with/interface with OS Stack API(s) 207. As also shown, applications, such as applications 106A through 106C execute in the application execution partition 202. In some embodiments, service access control integrity is further enhanced by placing additional measurement points outside of the network stack, so that, for example, if the network stack service usage reporting is hacked, corrupted, and/or compromised, there is a secure additional or back-up service measure located on the device and/or in the network (e.g., modem agent 226 as shown in FIG. 2, which provides a service measurement point in the modem for measuring service usage by the device, and as shown also provides for secure communication with the modem agent 226 using modem encryption 225). For example, the service measure provided by the modem agent 226, modem encryption 225, and/or modem bus 120 functions shown in FIG. 2 can be executed in a protected partition (e.g., modem execution partition 124 as shown in FIG. 2 can be implemented as a secure or protected partition using the various techniques described herein).

FIG. 3 illustrates another secure execution environment 300 for device assisted services in accordance with some embodiments. As shown, some stack elements are executed in the kernel execution partition 312 and some stack elements are executed in the protected DAS execution partition 314. In some embodiments, the DAS agents 104 executed in the application execution partition 302 are directly monitoring and/or controlling stack traffic by intercepting it and imposing additional traffic measurement and/or filtering. Examples of such techniques are described herein with respect to various embodiments. As shown in FIG. 3, the network stack elements 308 are the OS stack elements that reside in the kernel execution partition 312 and the protected DAS network stack elements 310 are the stack elements that reside in protected DAS execution partition 314. For example, as some or potentially all of the stack network traffic processing resides in the protected DAS execution partition 314, a high level of service control integrity can be maintained using these techniques. For example, the modem bus driver 121 can be executed in a secure execution partition, such as modem execution partition 324, which can be implemented as a secure execution partition using the various techniques described herein, or the modem bus driver 121 can be executed in the protected DAS execution partition 314, so that unauthorized programs can be blocked from accessing the access network through the modem.

In some embodiments, the entire stack is executed in the protected DAS execution partition 314 with only a stack API executing in kernel execution partition 312. Various other embodiments involve implementing a minimum (e.g., in terms of a number of agents and/or functionality) in the protected DAS execution partition 314 required to secure a service measure that can be used to confirm the integrity of the service policy implementation (e.g., as described with respect to various other embodiments disclosed herein). As will now be apparent to one of ordinary skill in the art, various combinations of stack processing functions can be implemented in a secure host execution partition to strengthen the service measurement and/or service control integrity of the DAS system using the techniques and/or similar techniques to the various techniques described herein.

In some embodiments, the stack elements implemented in the protected DAS execution partition can include stack API, sockets layer, TCP, UDP, service measurements at one or more points in the stack, IP layer processing, VPN/IPSEC, PPP, access control, traffic classification, traffic queuing, traffic routing, traffic QOS, traffic demand reporting to QOS allocation servers, traffic statistics reporting to the QOS servers, traffic QOS reservation requests including by traffic type or app type or service priority to the servers, traffic throttling, traffic statistics gathering, traffic QOS priority identification, modem drivers, modem data encryption, and/or other stack element functionality or features.

In some embodiments, the above discussed service control mechanisms are controlled by policy commands received over the service control link from the servers or other authorized network elements. In some embodiments, the device also reports usage measures to servers or other authorized network elements. In some embodiments, the device also reports QOS demand to the servers or other authorized network elements and/or accepts QOS instructions from the servers or other authorized network elements. In some embodiments, the device reports traffic statistics, projected traffic demand, application usage, projected QOS demand can all be reported to the servers or other authorized network elements for the purpose of provisioning the right amount of data bandwidth and traffic priority to the device, and the servers or other authorized network elements aggregate such reports from many different devices to project needed allocations across the entire network and make global bearer channel level or base station level decisions bearer channel allocation and bearer channel QOS allocation decisions, which can also be tied into a bearer channel provisioning, or bearer channel QOS provisioning apparatus or other authorized network elements located in the access network.

For example, as will now be apparent to one of ordinary skill in the art in view of the various embodiments described herein, additional security measures, can be added in some embodiments to augment the secure service partitioning, including, for example, access control integrity checks. For example, in addition to the service control policy instructions that can be received from the servers or other authorized network elements, an intermediate policy control agent can be present to make additional higher level decisions on how instantaneous policy should be implemented.

As shown in FIG. 3, the modem control link, shown as modem local channel 330, provides a link from local connection to the host service control link 118, which in turn connects through the host secure channel 150 to the service controller 152. This communication channel can also be implemented or configured to provide for encrypted communication and, in some embodiments, can be used as an alternative to the direct connection from the modem service control link to the network service control link as disclosed with respect to other figures and various embodiments as described herein.

As shown in FIG. 3, the final stack elements that feed or communicate with the modem bus driver 121 are the protected DAS network stack elements 310 located in the protected DAS execution partition 314 (illustrated as a solid line in FIG. 3), or, in some embodiments, can be the network stack elements 308 located in the kernel execution partition 312 (illustrated as a dashed line in FIG. 3). In some embodiments, these final stack elements feed or communicate with the modem subsystem 125. In some embodiments, the modem subsystem 125 includes an encrypted link so that the stack elements 310 in the protected DAS execution partition 314 can communicate with the modem 128 but other software programs or hardware elements cannot, for example, thereby preventing the service measures and/or controls from being inappropriately bypassed or otherwise comprised. For example and as similarly discussed above, the modem subsystem 125, for example, can include its own the protected execution partition using various techniques described herein. The modem protected execution partition, for example, can also include a service measure (e.g., modem agent 226 can provide such a service measurement point in the modem subsystem 125, as similarly described above with respect to FIG. 2) to increase service control integrity verification as depicted by service measure. The modem service measure can be included in protected execution partition that can only be accessed by the service controller 122 by way of the modem local channel 330, or the modem service measure can only be accessed by another DAS agent 310 in protected execution partition 314. In some embodiments, the modem local channel 330 is implemented as a secure channel (e.g., an encrypted communication channel between the modem service control link 130 and the host service control link 118). As described herein, the modem driver can reside in protected service execution environment, or the modem traffic can be encrypted within service execution environment. For example, the encryption settings can be controlled by various secure control servers.

FIG. 4 illustrates another secure execution environment 400 for device assisted services in accordance with some embodiments. In particular, FIG. 4 illustrates a direct stack manipulation option performed by the DAS agents executed in the protected DAS execution partition 414, including, as shown, an app(lication) identify agent 420, an access control integrity agent 422, a policy control agent 424, a policy implementation agent 426, a service measure/service monitoring agent 428, a modem encryption agent 430, and a bus driver 432. For example, the policy implementation agent 426 performs access control and/or traffic shaping according a set of service control policies. The service control policies, for example, can be set by the service controller 122 or by the service controller 122 in coordination with the policy control agent 422. As shown the app identify agent 420 is in communication with the various applications 106A through 106C executed in the application execution partition 402. As also shown, the various applications 106A through 106C executed in the application execution partition 402 are in communication with the OS stack and/or stack API(s) 408 executed in the kernel execution partition 412.

In some embodiments, the protected service measure agent 428, the modem encryption agent 430, the modem driver agent 432, the application identifier agent 420, the access control integrity agent 422, and the policy control agent 424 are all implemented in protected DAS partition 414, as shown. In some embodiments, as will now be apparent to one of ordinary skill in the art, a subset of these functions can be implemented in a protected execution partition, such as the protected DAS partition, in various circumstances.

FIG. 4 also similarly shows various embodiments that are available for network based service usage measures and interfacing to the mediation and billing systems, and it should be understood that any or all of the embodiments and figures can be employed in the context of carrier networks, MVNOs, private networks, or open networks supporting enterprise IT manger controls, parental controls, multi-network controls, and/or roaming controls.

FIG. 5 illustrates another secure execution environment 500 for device assisted services in accordance with some embodiments. In particular, FIG. 5 is similar to that FIG. 4 except that FIG. 5 illustrates a modem service control link 132 that is connected directly to the service controller 122 via the network service control link 152 (e.g., via a modem secure channel). In some embodiments, a modem control link for DAS is established locally on the device or through an entirely different control channel, which, in some embodiments, provides enhanced security as discussed herein (e.g., it is very difficult to hack a service usage measure or service control that cannot be accessed on the device).

FIG. 6 illustrates another secure execution environment 600 for device assisted services in accordance with some embodiments. In particular, FIG. 6 illustrates a policy implementation agent 616 that includes the entire networking stack running in protected execution partition 614 and an OS stack API 608 that includes an application identifying function 620 in the kernel execution partition 612.

FIG. 7 illustrates another secure execution environment 700 for device assisted services in accordance with some embodiments. In particular, FIG. 7 illustrates DAS agents that do not replace the OS network stack elements, but instead one or more DAS agents are comprised of device driver programs that interface into the network stack and pass traffic information or actual traffic back and forth with the stack. These device driver interface constructs are labeled OS driver framework and interface 722 in FIG. 7 as similarly shown in and described with respect to FIG. 2, along with OS stack API 708, which includes application identifier function 720 as similarly discussed above with respect to FIG. 6, and are executed in kernel execution partition 712. Also, as shown, application partition DAS agents 104 are executed in application execution partition 702. The main difference between the embodiment in FIG. 7 and that shown in and described with respect to FIG. 2 is that the service measure agent 428, modem encryption agent 430, and modem driver agent 432 are executed in the protected DAS partition 714, as shown in FIG. 7. For example, this provides for enhanced service control security as described herein with respect to various embodiments.

FIG. 8 illustrates another secure execution environment 800 for device assisted services in accordance with some embodiments. In particular, FIG. 8 illustrates a more simplified embodiment that is similar to that of FIG. 7. In FIG. 8, only an access control integrity agent 422 and a service measure 428 are executed in protected DAS partition 814, and the bus driver 432 and the service measurement and/or policy control drivers 210 are executed in the kernel execution partition 712. This embodiment illustrates that provided that at least one protected service measure is provided on the device, then the DAS service control integrity can be very high. For example, if it is not possible to access the program code or control traffic for the service measure agent 428, and the host service control link 118 except through the encrypted control channel from the service controller 122, then this simplified configuration can be almost as secure as that possible with network based service measures. It will now be apparent to one of ordinary skill in the art that this technique similarly applies to a service measure and control link similarly implemented in a protected modem execution partition 324. In some embodiments, the access control integrity agent 422 provides additional security, for example, in the event that the protected DAS partition 814 is breached or compromised.

FIG. 9 illustrates another secure execution environment 900 for device assisted services in accordance with some embodiments. In particular, FIG. 9 illustrates an embodiment similar to that of FIG. 8 except that, in particular, in addition to the service measure being executed in protected DAS partition 914, the modem encryption agent 430 is also implemented in/executed in the protected DAS partition 914. For example, this prevents unauthorized software from defeating the service measurements and/or service controls by going around the network stack directly to the modem.

FIG. 10 illustrates another secure execution environment 1000 for device assisted services in accordance with some embodiments. In particular, FIG. 10 illustrates an embodiment similar to that of FIG. 9 except that, in particular, there are additional app partition DAS agents 104 executing in the application execution partition 702. For example, this illustrates that some DAS agents can be implemented in application space (e.g., UI agent, policy control agent, and various other DAS agents as described herein) while still maintaining a high level of service measurement and/or control security as long as there are a few key measures and/or controls implemented in protected execution partitions using the various techniques described herein.

FIG. 11 illustrates another secure execution environment 1100 for device assisted services in accordance with some embodiments. In particular, FIG. 11 illustrates how the server cloud can be assisted by the on board access control integrity agent to detect tampering with other service measurement(s) and/or control agent(s), or to protect the service measurement and/or control system from being attacked by malware and/or otherwise comprised. As shown, the access control integrity agent 422 executes inside the protected DAS partition 1114 and is in communication with file storage 1130 (e.g., for persistently maintaining device status and/or other settings or status or monitoring information). The access control integrity agent 422 performs the various access control integrity check functions as, for example, described herein with respect to various embodiments, and, in some embodiments, in coordination with the servers over the secure control channel (e.g., host secure channel 150). In some embodiments, the access control integrity agent 422 can send the service controller 122 information about the other service measurements and/or control agents so that the service controller 122 can determine if the agents are working properly or have been tampered with or otherwise compromised. For example, such information can include sections of code, hashes, code segments, code variations from a previous image, code variations from a historical image, responses to queries, checksums, observations of operating behavior or patterns, service usage, policy implementation behavior, and/or other information that may be indicative of tampering, corruption, and/or a compromise of any of the device agents/measures. In some embodiments, the access control integrity agent 422 checks the operating environment for signs of malware signatures, or sends application and/or driver information or other information about the operating environments to the servers for further processing to detect malware. In some embodiments, the access control integrity agent 422 performs basic operations on protected DAS partition memory, kernel execution partition memory areas, application execution partition memory areas, on disk storage areas or on other file storage areas to detect known malware hashes or signatures, etc., or the access control integrity agent 422 can send the hashes to the servers for comparison against malware databases (e.g., to compare against signatures for known malware or for further behavioral based or other security/malware detection techniques).

In some embodiments, the DAS system is implemented in a manner that is robust to losses in service control link (e.g., coverage outages on a WWAN link or loss of connection on a wired link). In some embodiments, the DAS system to be implemented in a manner that is robust to one or more server elements in the service controller going offline or failing for any reason. The following embodiments facilitate these techniques, as described below.

In some embodiments, it is advantageous for one or more of the device assisted service agents to maintain a record of the service usage reports and/or other reporting that is provided to the service controller regarding device service control state (e.g., present service plan settings, current service usage policy settings, current user preference settings, current DAS settings, current encrypted control channel and/or local encrypted communication channel key information, current DAS agent status reports, current DAS agent security state reports, current ambient service usage and/or transaction records, current service control integrity threat reports, user status information, device status information, application status information, device location, device QOS state, and/or other state and/or settings information). In addition to such information that exists on the device and is reported to the service controller, additional service information can be derived and recorded in the service controller, such as information received from outside the device and/or analysis of the device reported information (e.g., network based service usage measures, analysis of device service usage, comparison of device reports with other information, analysis of access control integrity agent reports, information received from roaming networks, information input to the service controller from parental control terminals, enterprise control terminals, virtual service provider control terminals, access network authorization information, service integrity violation level, and many other types of information used to properly measure and/or control the device services). For example, the information reported from the device and received or derived outside the device that is required to adequately define the actions needed from the service controller to maintain proper DAS system operation is sometimes referred to herein as the “device service state.”

In some embodiments, the service controller functions are highly scalable and can be executed on a number of hardware and software platforms (e.g., different virtual machines in a server, different servers in a data center, or different servers located in different data centers). For example, in such embodiments the service controller can be designed so that the programs that execute the various service controller server functions can derive all of the information necessary to properly manage the device at any moment in time by knowing past device service state and current service state that adequately define the next set of actions the service controller needs to implement to properly maintain the DAS system operation. By designing the system in this way, if the server that is running the service controller server functions for any given device in question were to go down or become disconnected from the device, then another server could later resume proper operation of the DAS system by assigning another service controller server function to the device and recovering or restoring the necessary past device service state and the necessary current device service state.

For example, this can be accomplished in some embodiments as described below. The service controller saves the current device service state into a common database (e.g., which can be centralized or distributed) that is available to all service controller server functions. The device service state is saved each time the device communicates with the service controller, or at regular time intervals, or a combination of both. The device retains its current and past service state reports even after they are reported at least until the service controller sends the device a message confirming that the service controller has saved a given device service state. Once the device receives this save confirmation for a given device state report then it is no longer required to retain that particular device state report once the device has no further use for it. In this manner, if a service controller server function goes down then a save confirmation for one or more reported device states is not transmitted to the device by the service controller, and the device can retain that report. A server load balancer detects that a given service controller server function has gone down, looks up the devices that were being controlled by that service controller server function, finds that the device in question was one of those devices and re-assigns a new service controller server function (either in the same data center or in another data center) to control the device in question. The newly assigned service controller server function then recovers all past device states that were recorded in the service controller database and are required to properly manage the DAS system, and then asks the device to transmit or re-transmit all device state reports that were not saved in the service controller database. Once the device transmits or re-transmits the requested information, the newly assigned service controller function then has the information it needs to properly manage the DAS system, it saves all the reported device state information, and then sends save confirmations to the device so that the device need no longer retain the older service state reports. The newly assigned service controller server function can then resume the DAS system operation with a set of actions that are identical or very similar to the actions that would have been taken by the original service controller server function if it had not gone down. One of ordinary skill in the art will now appreciate that the above techniques can also be used to accommodate temporary losses in the connection between the device and the service controller. For example, such techniques provide for a highly scalable and robust approach to implement a distributed service controller across multiple data centers for reliable service redundancy. In some embodiments, the past device service state information is saved in the protected DAS execution partition and/or the modem execution partition, for example, so that it is protected from corruption.

Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.

INCORPORATION BY REFERENCE

This application incorporates the following provisional and nonprovisional U.S. patent applications by reference: application Ser. No. 12/694,445, filed Jan. 27, 2010, entitled SECURITY TECHNIQUES FOR DEVICE ASSISTED SERVICES; application Ser. No. 12/380,780, filed Mar. 2, 2009, entitled AUTOMATED DEVICE PROVISIONING AND ACTIVATION; Application No. 61/206,354, filed Jan. 28, 2009, entitled SERVICES POLICY COMMUNICATION SYSTEM AND METHOD; provisional Application No. 61/206,944, filed Feb. 4, 2009, entitled SERVICES POLICY COMMUNICATION SYSTEM AND METHOD; provisional Application No. 61/207,393, filed Feb. 10, 2009, entitled SERVICES POLICY COMMUNICATION SYSTEM AND METHOD; provisional Application No. 61/207,739, filed Feb. 13, 2009, entitled SERVICES POLICY COMMUNICATION SYSTEM AND METHOD; and provisional Application No. 61/252,151, filed on Oct. 15, 2009, entitled SECURITY TECHNIQUES FOR DEVICE ASSISTED SERVICES. 

What is claimed is:
 1. A system, comprising: a processor of a communications device configured to: implement a service profile executed at least in part in a secure execution environment for assisting control of the communications device use of a service on a wireless network, wherein the service profile includes a plurality of service policy settings, and wherein the service profile is associated with a service plan that provides for access to the service on the wireless network; operate a host service control link in the secure execution environment to connect securely to a network service controller through a first control channel, the host service control link to receive one or more messages from the network service controller through the first control channel, and based on the one or more messages, to update one or more of the service policy settings; monitor use of the service based on the service profile; and verify the use of the service based on the monitored use of the service; a memory of the communications device coupled to the processor and configured to provide the processor with instructions, the memory comprising a secure partition accessible only from the secure execution environment; and a secure modem subsystem including: a wireless modem to communicate with the wireless network; a modem control link to connect securely to the network service controller through a second control channel.
 2. The system of claim 1, wherein the second control channel connects the modem control link to the network service controller through a modem local channel on the communications device, the modem local channel providing secure communication between the modem control link and the host service control link.
 3. The system of claim 1, wherein the second control channel is separately secured from the first control channel.
 4. The system of claim 1, wherein the secure modem subsystem further comprises a modem agent accessible only by the network service controller through the second control channel.
 5. The system of claim 4, wherein the modem agent comprises a service measurement point for use of the service.
 6. The system of claim 5, wherein the modem agent communicates a report of the use of the service to the network service controller through the second control channel.
 7. The system of claim 6, wherein the processor separately communicates a report of the monitored use of the service from the secure execution environment through the first control channel.
 8. The system of claim 1, wherein the one or more service policy settings updated through the host service control link include an access control setting, a traffic control setting, and/or an admission control setting.
 9. The system of claim 1, wherein the one or more service policy settings updated through the host service control link include a network or device management communication setting.
 10. The system of claim 1, wherein the secure execution environment is implemented at least in part as a hardware partition.
 11. The system of claim 1, wherein the secure execution environment is implemented at least in part as a software partition.
 12. The system of claim 1, wherein the secure execution environment is implemented at least in part in a virtual machine executed on the processor. 